The Mirage file portal runs on Windows Server 2008 or later. You must protect this host from normal OS vulnerabilities.

Use spyware filters, intrusion detection systems, and other security measures mandated by your enterprise policies.

Ensure that all security measures are up-to-date, including OS patches.

Table 1. Protection Configuration for Code MFP01

Configuration Element

Description

Code

MFP01

Name

Keeps the Mirage file portal properly patched.

Description

By staying up-to-date on OS patches, OS vulnerabilities are mitigated.

Risk or control

If an attacker gains access to the system and reassigns privileges on the Mirage file portal, the attacker can access all files transferring through the Mirage file portal.

Recommended level

Enterprise

Condition or steps

Employs a system to keep the Mirage file portal up -to-date with patches, in accordance with industry-standard guidelines, or internal guidelines where applicable.

Table 2. Protection Configuration for Code MFP02

Configuration Element

Description

Code

MFP02

Name

Provide OS protection on the Mirage file portal host.

Description

By providing OS-level protection, vulnerabilities to the OS are mitigated. This protection includes antivirus, anti-malware, and other similar measures.

Risk or control

If an attacker gains access to the system and reassigns privileges on the Mirage file portal, the attacker can access all files transferring through the Mirage file portal.

Recommended level

Enterprise

Condition or steps

Provides OS protection, such as antivirus, in accordance with industry-standard guidelines, or internal guidelines where applicable.

Table 3. Protection Configuration for Code MFP03

Configuration Element

Description

Code

MFP03

Name

Restrict privilege user login.

Description

The number of privilege users with permission to log in to the Mirage file portal as an administrator should be minimal.

Risk or control

If an unauthorized privilege user gains access to the Mirage file portal then the system is vulnerable to unauthorized modification of downloading files.

Recommended level

Enterprise

Condition or steps

Create specific privilege login accounts for individuals. Those accounts should be part of the local administrators' group.

Table 4. Protection Configuration for Code MFP04

Configuration Element

Description

Code

MFP04

Name

Implement an administrative password policy.

Description

Set a password policy for all Mirage file portal. The password should include certain parameters.

  • A minimum password length

  • Require special character types

  • Require periodic change of the password

Risk or control

If an unauthorized privilege user gains access to the Mirage file portal then the system is vulnerable to unauthorized modification.

Recommended level

Enterprise

Condition or steps

Set a password policy for the Mirage file portal.

Table 5. Protection Configuration for Code MFP05

Configuration Element

Description

Code

MFP05

Name

Remove unnecessary network protocol.

Description

The Mirage file portal only uses IPv4 communication. You should remove other services, such as file and printer sharing of NFS, Samba server, Novell IPX, and so on.

Risk or control

If unnecessary protocols are enabled, the Mirage file portal is more vulnerable to network attacks.

Recommended level

Enterprise

Condition or steps

In the Control Panel or the administrative tool of the Mirage file portal operating system, remove or uninstall unnecessary protocols.

Table 6. Protection Configuration for Code MFP06

Configuration Element

Description

Code

MFP06

Name

Disable unnecessary services.

Description

The Mirage file portal requires a minimal number of services for the OS. When you disable unnecessary services you enhance security. This prevents the services from automatically starting at boot time.

Risk or control

If unnecessary services are running, the Mirage file portal is more vulnerable to network attack.

Recommended level

Enterprise.

Condition or steps

Verify that no server roles are enabled. Disable any services that are not required. There are various Windows services on Server 2008 that start by default and are not required. You should disable these services.

  • Application Experience

  • Application Management

  • Certificate Propagation

  • Com+ Event System

  • DHCP Client

  • Distributed Link Tracking Client

  • Distributed Transaction Coordinator

  • Diagnostic Policy Service

  • IPsec Policy Agent

  • Print Spooler

  • System Event Notification

The Mirage file portal is generally deployed in a DMZ or an internal data center to control browser access and user data over potentially hostile network, such as the Internet. In a DMZ or internal data center it is important that you use a firewall to control network protocol access.

Table 7. Protection Configuration for Code MFP07

Configuration Element

Description

Code

MFP07

Name

Use an external firewall in the DMZ to control network access.

Description

The Mirage file portal is usually deployed in a DMZ. You must control which protocols and network ports are permitted so that communication with Mirage file portal is restricted to the required minimum. Mirage file portal automatically sends requests to .Mirage Management servers within a data center and ensure that all forwarded traffic is on behalf of authenticated users.

Risk or control

Allowing unnecessary protocols and ports might increase the possibility of an attack by a malicious user, especially for protocols and ports for network communication from the Internet.

Recommended level

Configure a firewall on either side of the Mirage file portal to restrict protocols and network ports to the minimum set required between browsers and Mirage data storage.

You should deploy the Mirage file portal on an isolated network to limit the scope of frame broadcasts. This configuration can help prevent a malicious user on the internal network from monitoring communication between the Mirage file portal and the Mirage Management server.

You might want to use advanced security features on your network switch to prevent malicious monitoring of Mirage Gateway communication with Mirage servers, and to guard against monitoring attacks, such as ARP Cache Poisoning.

Parameter or objects configuration

For more information about the firewall rules that are required for a DMZ deployment, see the VMware Mirage Installation Guide.

Table 8. Protection Configuration for Code MFP08

Configuration Element

Description

Code

MFP08

Name

Do not use default, self-signed server certificates on theMirage file portal.

Description

When you first install the Mirage file portal, the HTTPS server is unable to work until signed certificates are prepared. The Mirage file portal and the HTTPS server require SSL server certificates signed by a commercial Certificate Authority (CA) or an organizational CA.

Risk or control

Using self-signed certificates leaves the SSL/TSL connection more vulnerable to man-in-the-middle attacks. Applying certificates to trusted CA signed certificates mitigates the potential for these attacks.

Recommended level

Enterprise

Condition or steps

For more information about setting up Mirage file portal certificates, see the VMware Mirage Installation Guide.

Test

Use a vulnerability scanning tool to connect the Mirage file portal. Verify that it is signed by the appropriate CA.